Painless script regex

Boris_Boris · March 16, 2021, 8:16pm

I have a event.original field -> type String.
"2021-03-15T16:11:12.333659+00:00 10.10.252.2 id=firewall sn=xx time=2021-03-15 16:11:12 UTC fw=8.8.8.8 pri=5 c=256 m=38 msg=ICMP packet dropped due to Policy proto=icmp type=3 icmpCode=3"

I want to extract scripted field with regex.

if(!doc['event.original'].empty)
 {
 String s = doc['event.original'].value;
 String clr = s.replace("\"","");


 if ( clr =~ /(?<=msg=)\w+/ ) {
  return "matc"
 } 
 else {
  String test = doc['event.original'].value;
  String test1 = test.replace("\"","");
  return  test1 
 }
}

This script returned "matc"
But when i try to return value with:

if(!doc['event.original'].empty)
 {
 String s = doc['event.original'].value;
 String clr = s.replace("\"","");
 def m = /(?<=msg=)\w+/.matcher(clr);

 if ( m.matches()  ) {
  return "matc"
 } 
 else {
  return  "not matched"
 }
}

This returns "not matched"
so i can't use scriptied field with value of "ICMP packet dropped due to Policy"

Boris_Boris · March 17, 2021, 12:32pm

problem resolved by using m.find()

Topic		Replies	Views
Scripted fields - regex always return false Kibana	5	1032	September 25, 2017
Parsing email data with regex in scripted field Kibana	6	1500	July 24, 2020
Problem with regex scripted field kibana using painless lang! Elasticsearch painless	1	426	October 19, 2020
Painless regex does not match Elasticsearch	1	725	July 4, 2018
Painless scripted fields with regex Elasticsearch	8	8822	March 30, 2018

Painless script regex

Related topics